Re: AUTH with sendmail and saslaud on FC3

[Alexander Dalloz <ad+lists@xxxxxxxxx>]

Am Mo, den 10.04.2006 schrieb Herward Hoyer (gua808) um 16:22:

> Hi I got a problem to authentificate with Sendmail AUTH.
> 
> my maillog:
> 
> AUTH: available mech=GSSAPI PLAIN LOGIN DIGEST-MD5 CRAM-MD5 ANONYMOUS, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
> AUTH failure (CRAM-MD5): user not found (-20) SASL(-13): user not found: no secret in database
> AUTH failure (PLAIN): user not found (-20) SASL(-13): user not found: Password verification failed
> AUTH failure (LOGIN): user not found (-20) SASL(-13): user not found: checkpass failed
> AUTH failure (CRAM-MD5): user not found (-20) SASL(-13): user not found: no secret in database
> AUTH failure (PLAIN): user not found (-20) SASL(-13): user not found: Password verification failed
> AUTH failure (LOGIN): user not found (-20) SASL(-13): user not found: checkpass failed
> 
> But when i:
> testsaslauthd -u <user> -p <password>
> I can authentificate.

Same $USER used in both cases? If you auth against unix system users
your user has to be just "user" and not "user@realm".

> Some lines from my sendmail.mc

> define(`confAUTH_OPTIONS', `A')dnl
> define(`confAUTH_OPTIONS', `A p')dnl

Just 1 of the 2 lines above can be set! Either you require an SSL/TLS
encrypted connection for plaintext auth or not. Comment one of them with
a leading "dnl". Second alternate requires a working certificate setup.

> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

Do not offer auth mechs which your backend does not provide! So remove
at least CRAM-MD5 and DIGEST-MD5. Else mail clients like Thunderbird try
to use them and will fail (Thunderbird gracefully falls back then
though).

> my /usr/lib/sasl2/Sendmail.conf
> pwcheck_method:saslauthd
> 
> The process:
> 11632 ?        Ss     0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 1

Stop the saslauthd service and start it by hand in debug mode to see it
logging:

/usr/sbin/saslauthd -d -m /var/run/saslauthd -a pam -n 1

> cat /etc/pam.d/smtp
> #%PAM-1.0
> auth       required     pam_stack.so service=system-auth
> account    required     pam_stack.so service=system-auth

And from PAM you auth against what? I guess unix system users.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 16:30:35 up 27 days, 17:18, load average: 0.23, 0.38, 0.18

Attachment: signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil